A Web Application Firewall (WAF), though still evolving, is crucial for strong application layer defense. Unfortunately, HTTP is a stateless protocol, and session management is addressed at the application layer and not at the protocol layer. It is possible to bridge WAF and session objects on the .NET platform to build a stateful WAF (SWAF). Security expert Shreeraj Shah covers the concept, implementation, and deployment of SWAF.

From the author of

From the author of

A Web Application Firewall (WAF) is emerging as the first line of
defense for Web applications. A WAF provides sound content filtering on both
incoming and outgoing HTTP(S) traffic. Its working is simple: It looks for
malicious attack vectors arriving at the Web application—vectors that can
contain payloads for SQL injection, Cross-Site Scripting, LDAP, or OS command
injection. WAF compares each incoming request with its own rule or signature
database. Another important aspect of WAF is its logging and auditing
capability, which is most useful in Web application forensics and activity
measurement.

Problem Domain

A WAF is usually stateless and cannot provide session-based stateful defense
for Web applications. WAF treats each incoming request independently without
considering the state of the request. Each HTTP request arriving at the Web
application may have states that can be defined by internal session variables.
These states can be maintained over the network by using session cookies that
are passed by the Web application to respective clients.

Here’s an example. Consider of the various banking transactions being
carried out by a customer with a valid account. John makes a first request to
his banking login page and gets a session cookie along with the login page.
Simultaneously, the application creates a session variable login in
memory and sets it to untrusted.

Now John makes a second request that includes his credentials (a username and
password combination). The state of this request would be untrusted for
the Web application. The application verifies the credentials against those
stored in the backend SQL Server database and authenticates the user. The
application then alters the state of the login variable in memory to successful and sets other session variables as well. In a similar
manner, each incoming request may alter the state of the application depending
on its logic. Subsequent HTTP requests would have different states.

To reiterate, each HTTP request can have a specific state, and these states
can be mapped to internal session variables. But what if a rule set based on the
state of the HTTP request needs to be built? One of the approaches to resolving
this problem is to build a firewall module with access to session variables.
Each incoming request can then be analyzed against this session-based rule set
prior to being served the response.

Our objective here is to build a stateful WAF using HttpModule on
the .NET framework.